How to get Hacked – Part 2

How to get hacked Part 2 continues down the road map of how to get hacked quickly and efficiently.

  • Use GitHub to back up keys, passwords, and certs for revision control
  • Put a backdoor in your code. It will make it easier for you to get in later
  • Use WPS on your WiFi, better yet use WEP, or best yet just leave your WiFi open
  • Join public wifi whenever possible
  • Ransomware is probably a new fashion line. Better to not think about it too much
  • Jailbreak or root your phone. Also install apps from other places besides the app store. Once done, do your banking
  • Email as much sensitive information as possible. Social security number? Yes. Credit cards? Most definitely
  • If someone needs money now, don't call and check, just transfer it. Who are you to question your boss?
  • Click on everything! If it's a link, click on it. If it's an attachment, open and run it. If the attachment needs macros, allow them
  • Give apps and websites permission to access contacts, text messages and email
  • Don’t remove services, what if you need them later?
  • Policies are meant to be broken
  • Run as Admin, root, SU or sudo. It will drastically reduce the number of help desk tickets.
  • Don't do security awareness training. You got a firewall
  • Don't watch out for social engineering attacks – better yet, don't even know what social engineering attacks are. You are not an engineer anyway
  • Nigerian princes are nice guys and they do need help
  • Include make, model and as many manufacturer specifics of appliances and vendors you use in job postings
  • Insider threats? No way your employees would ever cause you harm intentionally or by accident
  • Separating networks is hard. Flat is easy
  • Physical security? No need you are online
  • Yes you need a smart TV. You need everything to be smart
  • Denial of service? Don’t just deny them service, refuse them service
  • Logs are boring, best to not keep any
  • If you think you have been breached. Better to wait and see
  • WordPress plugins are your friend. Get the free ones that haven’t been updated since 2009
  • Alerts? Alerts for lunch is all you need
  • A report with a check next to compliant is the only reporting you need
  • Compliance asked if you had an IDS not if it was implemented properly. You can safely attest to having an IDS
  • Don’t do backups. You do things right the first time. Why would you need a backup?
  • If you are required to do backups make sure your backups have Password1 as the admin or SA ‘blank’
  • Don’t use encryption. Terrorists use that, right?
  • Don’t encrypt your phone/laptop/desktop, it sounds like a lot of work and you might end up with a cyber pathogen. What would people think if you caught that?
  • Use hidden inputs to specify what an HTML form should update. Verifying the current user is authorized to update that resource takes way too much time to code, and you sent it as a POST request, so it is safe
  • If the user is logged in, trust that anything they do was intentional. CSRF is a feature and makes Ajax requests way easier
  • Phishing? Clearly I don’t know how to spell and you don’t even like seafood
  • Better to just give everything a public IP address
  • Don’t fix bugs. Train sales that they are features
  • Process everything that is submitted with a form and save it straight to the database. Specifying each field is inefficient
  • VPN – stands for virtual page number, right? Why would you need that?
  • An alert or red X padlock on a website? Best to ignore and just click through it
  • Use Password1 or 123456 as your password
  • Default passwords make everything easier. If you forget, you can always google for it
  • Use same password for all websites for personal and business use. No brainer, way easier to remember and keep track of
  • Don’t use a password on your phone. If you are required to for work best to use 1234 or 1111 as your pin
  • Putting passwords on Post-it notes on your monitor or under your keyboard is a very safe and secure method
  • Ad blockers? Not needed, ad servers and ads are all legitimate and vetted by large corporations
  • Don’t use a password vault manager. Sounds expensive
  • Unlimited password attempts is the only way to go. Remember that one time you had to wait? Not worth it
  • Don’t use two factor authentication. Factoring is like taking a number apart, right? Math is hard
  • Security tools run themselves. “Set it and forget it!”
  • Security debt can be paid for with tears
  • Don’t hire internal or external security professionals. You got a developer and/or a sys admin; you're sure they are taking care of security
  • Cyber insurance? Not needed. They cannot get into your secure systems
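The three items about hidden form inputs, CSRF being "a feature", and saving every submitted field straight to the database all describe the same request handler. The following is an added example, not code from the original post, written in plain Python with a constructed in-memory user table and a stand-in Session class (both assumptions made here so it runs without a web framework). It shows the handler exactly as the list recommends it, beside a hardened one that checks the session's CSRF token, takes the record id from the session instead of the form, and writes only allow-listed fields.

```python
import hmac
import secrets


def fresh_users():
    """Constructed in-memory 'database' for this example (not a real data store)."""
    return {
        1: {"id": 1, "email": "alice@example.invalid", "display_name": "Alice", "is_admin": False},
        2: {"id": 2, "email": "bob@example.invalid", "display_name": "Bob", "is_admin": False},
    }


class Session:
    """Stand-in for a server-side session: who is logged in, plus a CSRF token
    generated when the session starts and rendered into every state-changing form."""

    def __init__(self, user_id):
        self.user_id = user_id
        self.csrf_token = secrets.token_hex(16)


class Forbidden(Exception):
    """Raised when a request fails the CSRF or authorization check."""


# --- The "how to get hacked" handler: a hidden input picks the record, every posted
#     field is saved, and being logged in is the only check. ---
def update_profile_vulnerable(users, session, form):
    target = users[int(form["id"])]          # trusts the hidden <input name="id">
    for field, value in form.items():        # mass assignment: whatever was posted is written
        if field != "id":
            target[field] = value
    return target


# --- The hardened handler. ---
ALLOWED_FIELDS = {"email", "display_name"}   # fields a user may change about themselves


def update_profile_hardened(users, session, form):
    # 1. CSRF: the token posted with the form must match the one bound to this session.
    #    compare_digest keeps the comparison constant-time.
    if not hmac.compare_digest(form.get("csrf_token", ""), session.csrf_token):
        raise Forbidden("missing or invalid CSRF token")
    # 2. Authorization: the record to update comes from the session, never from the client.
    target = users[session.user_id]
    # 3. Allow-list: only permitted fields are written; 'id', 'is_admin' and anything
    #    else the client added are silently ignored.
    for field in form.keys() & ALLOWED_FIELDS:
        target[field] = form[field]
    return target


if __name__ == "__main__":
    # Constructed request: Bob's browser posts a form naming Alice's id and adding is_admin.
    bob = Session(user_id=2)
    posted = {"id": "1", "display_name": "Bobby", "is_admin": "true"}

    users = fresh_users()
    update_profile_vulnerable(users, bob, posted)
    print("vulnerable:", users[1])           # Alice renamed and given is_admin='true'

    users = fresh_users()
    try:
        update_profile_hardened(users, bob, posted)
    except Forbidden as exc:
        print("hardened, no token:", exc)    # rejected before anything is touched
    update_profile_hardened(users, bob, dict(posted, csrf_token=bob.csrf_token))
    print("hardened:", users[1], users[2])   # Alice untouched; only Bob's display_name changed
```

Taking the target record from the session rather than the form is what closes the hidden-input hole; the allow-list is what stops an extra `is_admin` field from being written; and the token check is what stops a cross-site page from submitting the form on a logged-in user's behalf. All three are needed, since each one covers a different item on the list.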

Looking for How to Get Hacked – Part 1?